My blog is about the security and optimization of Windows systems. It will be useful to beginners who need information to secure and optimize their system, and to more advanced users who want to know more about security software.

My configuration is built on the layered protection idea. All my security software is selected specifically to run together without conflict; I set it for maximum compatibility and protection with the lowest resource usage possible. This kind of combo is not suited to beginners, since many settings and tweaks must be done to make it fully functional and system-safe.

The first thing to do after installing your OS, and before browsing the net, is to make a clean backup of your system.
No system should be without an imaging backup solution: if all of the layers below fail, you can still get your system back.

3- Rollback (for paranoid users)

Rollback RX and Returnil are the best-known programs for this. It is a faster and more secure "system restore", because it takes a complete snapshot of your system (unlike Windows Restore Points, which save only parts of the system) and lets you save/restore it in a minute.
On my config, it is the first thing I install after doing a backup, so I have a clean "baseline" from which I can test/install/update things, knowing I can revert to a clean state if something goes wrong.
Note that rollback software is not recommended for use alongside an installed imaging backup program.

4- Light Virtualization (for paranoid users)

Light virtualization software is mostly system-wide: it works like a sandbox but affects your whole system, isolating any changes made after activation until the reboot, so you can test malware, software, etc.
Shadow Defender, Timefreeze and Deepfreeze are the most famous ones; in my case I use Shadow Defender on boot.

5- Sandboxes

Sandboxes are programs that virtualize whatever is run inside them, isolating it from your real system.
They are mainly used with browsers, so if you catch a malware on a malicious website it will not affect you.
Sandboxie and BufferZone are the most famous ones.
I install Sandboxie before going on the internet and use it to isolate my browsing while searching for software to install, so I am sure I will not be infected.

6- Secured DNS

DNS servers are like the address books of the web. Your Internet provider gives you a basic DNS server to allow you to surf; some vendors like Norton or Comodo remove malicious websites' addresses, giving you more security while browsing.
I also change my default DNS to a secure one before browsing, to minimize the risks.

7- Firewall (Important)

To secure my system a bit more before browsing, I install the firewall before the antivirus.
A firewall will monitor your inbound/outbound connections. I use it to control what goes out of my system (e.g. trojan downloaders or rootkits calling home) rather than to protect me from attackers (quite rare now if you are a common user without sensitive data).

8- Main Antivirus (Important)

Now that my browsing is secured by the steps above, I can install my AV.
Choose any AV you like (lighter is better); it will be your first line of defense against malware. My favorites are Avast, AVG, ESET NOD32 and Emsisoft AM.

a- Web Filters/DNS checkers

Web filters like "Panda Cloud URL Filter" or "Bitdefender TrafficLight" check/scan the websites you visit for malicious code/scripts/executables that may infect your system, and block you from accessing them; some AVs incorporate such filters.

b- Behavior Blockers/HIPS

This will be one of your 0-day malware protections; some AVs and firewalls integrate them. Both are compatible and can be used together.

BBs are more user-friendly, since they monitor the behavior of a process and ask you only if they can't decide.

HIPS are more intended for advanced users, since they ask about almost every process event.

9- Companion Antivirus (for paranoid users)

In case your main AV misses some malware, the companion will help fill the hole; it will also add some features your main AV may not have. Emsisoft AM, Webroot SA, Kingsoft AV and MBAM Pro are very good at that.

10- Anti-keyloggers (for paranoid users)

Programs like KeyScrambler, SpyShelter and Zemana AntiLogger protect your system from keyloggers, which record your keystrokes and send them to cyber-criminals, mostly to steal your banking credentials.

So if you are a heavy online banking/shopping user, this kind of software will increase your security. Note that most AVs detect keyloggers.

11- Browsers & addons

Now I can go surfing, but since I want to be totally protected I will choose to secure my surfing a bit more.
Internet browsing is the main vector of infection, so some browsers like Chrome offer many built-in security features (integrated sandbox for Flash Player, PDF reader, etc.). You can also improve your security by adding add-ons to them (HTTPS Everywhere, Ghostery, NoScript, etc.).

12- YOU (Important)

The final and most important layer is YOU, yes, the user; you must have the right habits in what you do with your computer:

- Surf properly: don't go to suspicious websites, and check that the website you visit is the real one.
- Download smartly: always download from the vendor's website, or at least from a recognized and legitimate website.
- Don't run files from an unknown USB drive you found; check them first.
- Don't use cracks/keygens outside a virtualized application.
- Don't give your credentials to anyone, even your family members; I can tell you stories of how I got credentials by doing social engineering.

Final Note:

If you follow the steps above, you will greatly minimize the risk of being infected and losing your system and data. Note that some suites incorporate many of the elements above.

Personally, when I boot, my system is right away virtualized under Shadow Defender, then my AVs/FW load, then I can go surfing with Chrome isolated by Sandboxie.

OK guys, since I got many requests for setting EIS for max protection, this is my guide:

Emsisoft AM

Behavior Blocker

Nothing to change; leave all boxes ticked.

Alert Setting

I want to keep the cloud rating, so I leave the community-based alert reduction ticked, but I raised/lowered the percentage to my needs; I also activate the Paranoid mode.

File Guard

"Scan all files when they are read" is the most important choice here; it will block the file even during a download or extraction.

Surf Protection

Nothing special to say here, just do as in the screenshot (or set to Alert if you want more control).

Hosts Rules

Tick the 2 boxes. The nice feature of EAM is that you can add your own hosts rules to those already in place in EAM; personally I imported those of MVPS by clicking "Import Host Files" at the bottom of the tab.

Configuration

Nothing special here, follow the screenshot.

That is all for the EAM side.

Online Armor Premium

Firewall

I personally have no special rules, so I leave it at default unless I want to block a particular process/IP address.

Domain

This is the "banking mode" configuration tab; every URL entered will be either trusted, blocked or protected.

Program

The HIPS of OAP. If you are truly paranoid, untick "Automatically trust programs that Emsisoft deems trustworthy"; personally I found Emsisoft quite paranoid, so I leave it ticked to avoid a shower of popups.

File and Registry

Here you protect your registry and files by editing rules; anyway, just tick all the boxes.

Autorun

No setting here until a process is flagged; then you can allow, block or delete it.

Anti-keylogger

Same as Autorun.

Host files

OAP can monitor any access to the hosts file, a behavior commonly used by malware to block you from antivirus websites.

Just leave the box ticked (in Options).
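The EAM hosts rules above and OAP's hosts-file monitor concern the same file. As an added example (not from the blog, Emsisoft or Online Armor), this PowerShell function reads hosts-file lines and reports only the entries that touch security-vendor domains, which is the tampering the monitor is there to catch; the vendor list and the sample hosts content are constructed for illustration, and MVPS-style block entries for other hosts are left alone.

```powershell
# Vendor domains to watch: an illustrative list, extend it for your own tools.
$VendorDomains = @(
    'emsisoft.com', 'eset.com', 'avast.com', 'avg.com',
    'malwarebytes.org', 'superantispyware.com', 'windowsupdate.com'
)

function Get-HostsHijacks {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string[]] $Domains = $VendorDomains
    )
    $findings = @()
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        # Drop the comment part and surrounding whitespace; skip blank lines.
        $line = $raw.Split('#')[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        # One hosts line may map several names to the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $hostname = $name.ToLowerInvariant()
            $matched = $Domains | Where-Object { $hostname -eq $_ -or $hostname.EndsWith('.' + $_) }
            if (-not $matched) { continue }
            # Loopback/unspecified address: the vendor site is made unreachable.
            # Any other address: the vendor site is redirected to a host of the attacker's choosing.
            $kind = if ($address -in @('0.0.0.0', '127.0.0.1', '::1')) { 'Sinkholed' } else { 'Redirected' }
            $findings += [pscustomobject]@{
                Line     = $lineNo
                Hostname = $hostname
                Address  = $address
                Kind     = $kind
            }
        }
    }
    return $findings
}

# Constructed sample hosts content (not a real file): a default localhost entry, one
# MVPS-style block entry that must not be reported, and two kinds of vendor tampering.
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net                  # block-list style entry, left alone
127.0.0.1       www.emsisoft.com                 # vendor site sinkholed
198.51.100.7    update.eset.com www.avast.com    # vendor sites redirected (TEST-NET-2 address)
'@ -split "`r?`n"

Get-HostsHijacks -Lines $SampleHosts | Format-Table -AutoSize
```

To check the live file, pass `Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"` as `-Lines`; an empty result means no watched vendor domain is overridden.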

Options -> Firewall

You can block all traffic during boot, but you will have to wait for OAP to finish loading to get your internet access.

That is all for OAP.

Note

This guide is the "default" paranoid mode, designed for all users and not for specific systems (with personal firewall/registry/file rules).

OK, since I have had some requests about how I set ESET for max protection, here is the answer (picture-based, with annotations).

Warning:

- These settings may have a negative impact on resource usage and responsiveness on low-end machines.
- These settings will generate more alerts than the defaults and may hamper your browsing experience.

First of all, we go to Setup > Enter Advanced Setup.

1- COMPUTER

A- Antivirus and Anti-spyware

B- Real-Time System Protection

Tick all boxes, then enter setup:

- Objects: tick all
- Options: tick all

"Advanced heuristics/DNA/Smart signatures – Advanced heuristics consist of a unique heuristic algorithm developed by ESET, optimized for detecting computer worms and trojan horses and written in high level programming languages. Thanks to advanced heuristics, the detection capabilities of the program are significantly higher. Signatures can reliably detect and identify viruses. Utilizing the automatic update system, new signatures are available within a few hours of a threat discovery. The disadvantage of signatures is that they only detect viruses they know (or their slightly modified versions)."

"Alternate data streams used by the NTFS file system are file and folder associations which are invisible by ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams."

D- Document Protection

Enable it

- ThreatSense engine parameter setup: same as step 1-B

E- Startup Scan

Same as step 1-B

F- Idle-State Scanning

Enable it if you need it; the ThreatSense settings are the same as in step 1-B.

G- Exclusions

Add here any other security apps you have.

H- Removable Media

Create rules for every USB stick/external HDD/pen drive/mobile phone you own, so you will be protected from infections.

I- HIPS

The most complicated part. I suggest you set it to "Learning Mode" for a few hours; during this time you will have to launch every piece of software and every Windows tool you usually use and know to be safe (mostly those that don't need an internet connection to run).
Afterwards, set the HIPS to "Interactive Mode".

-Advanced Setup: Tick all

2- NETWORK (under testing)

A- Personal Firewall

I found the ESET firewall quite good, especially with its IDS feature (which blocks malware at the network level); set it to "Interactive".

Rule and Zone

I leave it at default; you may change some rules later depending on your system.

IDS and Advanced Options

My favorite firewall feature.

"The IDS and advanced options section allows you to configure advanced filtering options to detect several types of attacks that can be carried out against your computer."

Wednesday, April 17, 2013

Today I will do an "out-of-the-box" review of SUPERAntiSpyware Pro on a real system (dedicated Rollback RX snapshot with Win 8 x64 Pro, up to date).

SUPERAntiSpyware was once one of the reference products against spyware and similar threats; now it is also an anti-malware product and can be used alongside your main security solution. Let's see how it performs.

SUPERAntiSpyware has been designed to be compatible with popular anti-virus and anti-spyware applications such as Spybot, Malwarebytes, Ad-Aware, AVG, McAfee, Norton, Symantec, Kaspersky, Webroot, PC Tools, etc.
SUPERAntiSpyware should co-exist with and complement any security application. We have designed SUPERAntiSpyware to work seamlessly with your operating system and other software applications.

1- Installation

Classic installer, no toolbars bundled, no reboot; it updates its signature database at the end of the installation.

2- Resource Usage

2 processes for around 10 MB RAM (with some peaks at 60+ MB); it's quite light, I don't feel slowdowns.

Note that the amount of I/O write bytes is quite high.

During a scan the RAM rises to around 100+ MB and CPU to 50%.

3- Interface

The interface is a bit "old style", but all the main information is displayed.

We can see the "Rescue Scan" option, which may be useful on infected systems.

Rescue scan should only be enabled when malware is consuming so many system resources that you are unable to run a scan. Rescue scan attempts to steal back some of those resources. If you are able to run a scan normally

Note: the "Find out what's running on your computer" feature is a link that works only with Internet Explorer.

The browser you are using is not supported
The FileResearchCenter.com "Find out what's running..." report supports Internet Explorer running on the Microsoft Windows XP, Windows Vista, and Windows 7 platforms.
To run the report, please open Internet Explorer and use it to navigate to the following web page:
http://www.fileresearchcenter.com/whatsrunningpre.html

A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding rootkits or hacker tools on a breached system and allows them to be executed without being detected by the systems administrator.
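Both the ESET "alternate data streams" scan option earlier on this page and the SUPERAntiSpyware note above refer to NTFS alternate data streams. As an added example (not from the blog or either vendor), this PowerShell function lists the named streams under a folder so a scanner's ADS coverage can be cross-checked by hand; it assumes Windows PowerShell 3 or later on an NTFS volume, the scratch folder and stream contents are constructed, and treating only `:$DATA` and `Zone.Identifier` as expected streams is my assumption.

```powershell
function Get-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # The unnamed default stream and the browser mark-of-the-web are expected on
        # ordinary files, so they are skipped; everything else is reported.
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every data stream of the file, named or not.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $Ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Constructed demonstration: a scratch folder with one plain file and one file that
# carries a named stream. Nothing here is malware; it is sample data for the listing.
$scratch = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $scratch | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'plain.txt')   -Value 'visible contents only'
Set-Content -LiteralPath (Join-Path $scratch 'carrier.txt') -Value 'visible contents'
Set-Content -LiteralPath (Join-Path $scratch 'carrier.txt') -Stream 'demo.stream' -Value 'constructed sample data stored in an ADS'

# Only carrier.txt should appear, with its demo.stream entry.
Get-AlternateStreams -Path $scratch | Format-Table -AutoSize

Remove-Item -LiteralPath $scratch -Recurse -Force
```

On a real system, point `-Path` at a user profile or download folder and review any stream that is neither `:$DATA` nor `Zone.Identifier` against what the file's owner expects to be there.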

Tuesday, April 9, 2013

Today I decided to review Avast IS (aka AIS). Most of you know the (in)famous free antivirus and its many features; in this review, I will show you all the aspects of AIS.

Avast's Products Comparison

Introduction

avast! is a package of applications that aim to protect your computer from a possible virus infection or other malware threat. If you use it correctly, and in combination with other programs such as data backup utilities, it will significantly reduce the risk of your computer being attacked or infected by a virus, and thus the risk of losing important or private data.

Based on the award-winning avast! antivirus engine, avast! antivirus 7.0 contains all of the features you would expect in a modern antivirus program. It incorporates anti-spyware technology certified by West Coast Labs' Checkmark process, as well as anti-rootkit and strong self-protection capabilities, but now provides even faster scanning with improved detection ability. It contains several real-time "Shields" which continuously monitor your email and internet connections and check the files on your computer whenever they are opened or closed.

avast! antivirus 7.0 includes an AutoSandbox so that suspicious applications can be run automatically in a safe, secure environment without the risk of any damage being caused to your system. It also includes the optional avast! WebRep feature, which provides you with information about the content and security of websites that you visit based on ratings provided by the avast! user community.

avast! Internet Security 7.0 offers a number of additional features, including the avast! SafeZone, which allows you to manage your sensitive transactions in a private, secure area, invisible to the rest of your system. avast! Internet Security 7.0 also comes with an antispam filter and built-in firewall.

OK, now that you have briefly seen what it contains, let's go for a deeper tour!

User Interface

The UI of Avast is quite simple to use; beginners can find what they look for quite easily.
The UI enables you to check the current status of your protection, to adjust the program settings and to launch manual scans.

On the left side of the window, you will see a number of navigation tabs, which can be used to access other parts of the program:

- SUMMARY: contains current status information, access to avast! iNews for the latest information, statistical and community information.
- SCAN COMPUTER: enables you to run a manual virus scan, to schedule a boot-time scan and to view the scan results.
- REAL-TIME SHIELDS: provides access to all the shield settings.
- FIREWALL: provides access to the firewall settings.
- ADDITIONAL PROTECTION: contains the AutoSandbox, Browser protection and Site Blocking features. If you need help, you can use the Remote Assistance feature to enable another person to connect directly to your computer. You can also find the SafeZone and Sandbox screens and Antispam settings.
- MAINTENANCE: to update your program or virus definitions or to access the virus chest.

1- Summary

Current Status
By clicking on the drop-down arrow below your protection status, you can see more details about your protection status:

- Real-time shields: tells you if you are protected in real time.
- Firewall: tells you if the firewall is enabled.
- Definitions auto update: this ensures you always have the most up-to-date virus definitions and that you are protected from the latest threats.
- Virus definitions version: this tells you whether the virus definitions that are used to identify potential threats are currently up to date.
- Program version: this tells you whether you are using the latest version of the program.
- Expiration date: here you can see the date until which your current license is valid.

Cloud Services
Avast relies heavily on its cloud services, gathering and then redistributing signatures and information to its users.

- Streaming (real-time) updates: streaming updates make sure that new virus definitions are sent to you in real time, rather than waiting for the next update. As your virus database is continuously updated, this gives you even more protection against the very latest "zero-day malware".
- File Reputation: AIS checks whether a file is safe even before it is opened, by checking its database of known files. Whether the file is considered safe or not is determined by how common the file is among other avast! users, and for how long the file has been in existence.

Statistics
Just a statistics page that shows you what was scanned by AIS and when.

2- Scan Computer

This tab shows you the various kinds of scans available; you can adjust the options of each scan separately.

Quick scan - this will just perform a quick scan of your computer's system volume (usually the C:\ drive on your computer).
By default, only files with "dangerous" extensions are scanned, e.g. files with extensions such as "exe", "com", "bat" etc. Only those parts of the file at the beginning and at the end, where infections are normally found, are tested.

Full System Scan - This performs a more detailed scan of all your computer's hard disks and by default, all files are scanned according to their content, in other words, avast! looks inside every file to determine what type of file it is and whether it should be scanned. The whole file is tested, not just those parts of the file at the beginning or at the end where infections are normally found.

Removable Media Scan- this will scan any removable media that is attached to your computer e.g. USB flash drives, external hard drives etc. It will scan the media to detect potential "auto-run" programs that may try to launch when the device is connected.

Select folder to scan - this option enables you to scan just a specific folder or multiple folders.

You can adjust the options of each scan:

- Scan parameters:
- Sensitivity: you can adjust the basic sensitivity, which determines how deeply the files are scanned, and also the heuristic sensitivity.
- Packers: you can specify which types of archive file are checked when scanning.
- Actions: you can specify the action that should be taken automatically whenever a virus, potentially unwanted program (PUP), or suspicious file is detected.
- Performance: here you can adjust the priority of the scan when system resources are also needed by other applications, and you can configure the "persistent cache settings". AIS can store information about files that are verified as clean, and this information can then be used to speed up future scans.
- Report file: you can create a report of the scan results.
- Exclusions: here you can enter or modify locations that should not be scanned.
- Scheduling: you can schedule a scan to run once, automatically on a given day and time, or to run regularly on a daily, weekly or monthly basis.

Boot-Time Scan
One of my favorite features of Avast: it is possible to start a scan automatically when the system restarts (when the computer "boots"), before the operating system is active. This is useful if you suspect that a virus may have been installed on your computer, as it enables the virus to be detected before it is activated and before it can do any damage to your computer.

Scan Logs
This tab just displays a list of all scans that have been run and their results.

3- Real-Time Shields

The prevention part of AIS. This nicely made tab shows you all the available modules; most of them contain many options that allow users to tighten their configuration.

The real-time shields are the most important part of the program, as they are working continuously to prevent your computer from becoming infected. They monitor all your computer's activity, checking all programs and files in real time, i.e. at the moment a program is started or whenever a file is opened or closed. Normally, the real-time shields start working automatically whenever your computer is started. The presence of the orange avast! icon in the bottom-right corner of your computer screen tells you that the real-time shields are working. Any of the shields can be turned off at any time, but this is not normally recommended as it may reduce the level of your protection. If any of the shields is turned off, you will see a warning message whenever you open the user interface telling you that your computer is not fully protected (if one or more shields are turned off) or "Unsecured" (if all the shields are turned off).

File System Shield
It checks any programs at the moment they are started and files at the moment they are opened/closed. If something suspicious is detected, the file system shield will prevent the program/file from being started/opened to prevent any infection to your computer and data.

Mail Shield
This Shield checks incoming and outgoing email messages and will block any messages containing a possible virus infection from being accepted or sent by the user.

Web Shield
It protects your computer from malware while using the internet (browsing, downloading files, etc). It will detect and block known or potential threats coming from the web (hacked websites infected with malicious code). If a virus is detected while downloading a file, the download will be stopped to prevent the infection from reaching your computer.

Network Shield
It monitors all network activity and blocks any threats that are detected on the network. It also blocks access to known malicious websites based on the avast! database of infected URLs. This shield has no options.

Script Shield
It detects malicious scripts and prevents them from being run. The script shield will detect and block not only malicious scripts coming from the web (remote threats) but also scripts coming from other sources, such as web pages saved to disk or in the browser cache (local threats).
Unlike the "web shield", the script shield can also detect and block malicious scripts that come from HTTPS (encrypted) connections.

Behavior Shield
The Behavior Blocker of AIS. It monitors all activity on your computer and detects and blocks any unusual activity that might indicate the presence of malware. It does this by continuously monitoring your computer's entry points to identify anything suspicious.

For me, this shield is one of the modules that needs real improvement; it has a tendency to block some very well-known processes that are truly legitimate. In my case, it blocked an IDM process, making it crash until I found out why.

4- Firewall

The firewall monitors all communication between your computer and the outside world and blocks unauthorized communication based on a number of "allow" and "deny" rules. In this way, the firewall can prevent sensitive data from leaving your computer and can also block attempted intrusions by external hackers.

Firewall Settings
Three security levels are available:

Home/low risk zone - suitable when using your computer as part of a home/private network. If this setting is selected, the firewall will allow all communication with the network.

Work/medium risk zone - suitable for when your computer is connected to a wider public network, including direct connections to the internet. This is the default setting and if selected, the firewall will allow communication in and out only if allowed by the "Application Rules". If no rule has been created, you will be asked to confirm whether or not communication with a particular application should be allowed.

Public/high risk zone - suitable when using your computer to connect to a public network and where you want to ensure the maximum level of security. This is the most secure setting and if selected, no incoming communication will be allowed, effectively making your computer completely invisible to others.

Network Connections
This tab just shows you the connections that are currently open, or were open recently on your computer. You can get more details about the specific IP address, or trace the route taken by a piece of data to get to or from your computer.

Application Rules
You can set the communication rules for specific applications. The firewall will then follow the application rule whenever a particular application tries to establish a connection with the Internet or with another network, whether set as "Friend" or not.

5 types of rules are available:

- Friends out
- Friends in/out
- Internet out
- Friends in and Internet out
- All connections

"Friends out" is the most secure setting, as no incoming connections will be allowed and outgoing communication will only be allowed with networks defined on the Friends page in the expert settings. Connections to the Internet automatically include connections to Friends. For example, "Internet out" automatically includes "Friends out". If "Friends in and Internet out" is selected, outbound connections to the Internet will be allowed, plus both inbound and outbound connections with Friends. If "All connections" is selected, all incoming and outbound connections will be allowed.

You can further specify how to deal with connections above the selected level, for example if an incoming connection from the Internet is detected but the access level is set only to "Internet out":

- "Block": such connections will never be allowed.
- "Auto-decide": the connection will normally be allowed; however, any suspicious connections will be automatically blocked. This is based partly on a large white-list database of safe applications maintained by avast!
- "Ask": you will see a message asking you to confirm whether or not the connection should be allowed.

Network Utilities
Here you can find out more information about specific IP addresses, and you can also see a map of the route (similar to "traceroute") that data packets take to get to or from your computer.

Antispam
The avast! antispam filter analyses all incoming email based on various criteria to determine whether it is legitimate. This analysis is based partly on a "blacklist" containing the addresses of senders from whom emails should always be marked as spam, and a "whitelist" which contains the addresses of known and trusted senders.

Sandbox
The avast! Sandbox is a special security feature that allows you to browse the web, or manually run another application, in a completely safe environment, isolated from the rest of your system.

This is especially useful when visiting potentially infected websites, or if you suspect an application may be infected - you can run the program (or your web browser) inside the sandbox to determine whether or not it is safe, while remaining completely protected against any malicious actions that it may try to carry out.

Auto-sandbox
By default, if an application is started and avast! detects anything suspicious, it will automatically run the application in the Sandbox.

Safezone
The "banking mode" of AIS: the SafeZone. You use it via a special interface and browse the net with a modified version of the Chromium browser.

Allows you to browse the web in a private, secure environment, invisible to the rest of your system. For example, if you do your banking or shopping online, or other security-sensitive transactions, you can be sure that your personal data cannot be monitored by spyware or key-logging software. If you go to a banking site which is recognized by avast, you will be automatically prompted to use the SafeZone browser for your online transactions. Unlike the avast! Sandbox, which is intended to keep everything contained inside so that it cannot harm the rest of your system, the avast! SafeZone is designed to keep everything else out.

Browser Protection
Here you can specify whether your web browsers should always be started in the Sandbox, so that you are always protected from any threats from the Internet.
Here you can also enable the WebRep feature and the Phishing filter, if they are available for your browser.

Remote Assistance
The remote assistance tool enables you to give another person remote access to your computer or provide remote help to another person. This can be useful if you are having any difficulties and you want another person to take control of your computer to help resolve the problem.

Needless to say, don't allow any incoming assistance from someone you don't know ;)

Site Blocking
The parental control of AIS, you can enter the URLs of any websites that must be blocked so that they cannot be viewed in any browser. This feature can be used to block access to sites that you do not want children or other users to be able to access.

6- Maintenance

This tab gives you access to some maintenance options including:

- Updates: shows you the relevant information about the signature and program updates.
- Subscription: shows your subscription status, days left, etc.; you can renew your subscription here.
- Virus Chest: the quarantine of AIS.

7- Basic Settings

Most AIS options not related to the various modules are displayed here.

Final Notes

Avast IS is a very complete suite that will satisfy the needs of everyone from beginner users to advanced ones.
Its wide choice of options and modules affords complete security for the principal layers of your system.
Needless to say, if set up and used properly, AIS will give you very strong protection.
I hope the cons will be fixed in the future; AIS deserves its rank as a top-notch solution.